About this Add-on

New Features: all three buttons are available in menu-button style, with a dropdown arrow; and site exceptions can be set temporarily for the duration of the session.

Quick SetupYou can use Cookie Controller solely from the tools menu, but most people will want to install one or more of the toolbar buttons. Open the customise toolbar palette by right clicking on a toolbar and you will find three buttons that you can drag onto a toolbar anywhere you like. You can choose plain buttons where context menus are accessed using a right click, or menu-buttons where there is a dropdown marker next to the button for accessing the menu.

First drag the Toggle button, the one with a picture of Cookie Controller. This will be red or green, as Cookie Controller decides what your current configuration is closest to, but nothing has changed yet. Click the button to set global cookie permissions. Red indicates that all cookies are denied and this should be your normal setting. Green indicates that cookies are allowed, but only until the end of the session and not 3rd party cookies. The tooltip will always tell you what the current settings are, as well as the total number of cookies currently stored. I recommend that you also activate the "Force Off state at start" setting.

Now drag the yellow cookie Perm button. This will indicate the exact cookie permissions for the current page. When you do not have an actual web page or file loaded it will be disabled and grey. Different icons indicate at a glance whether the current page is allowed to set cookies and the tooltip will give more detail. The tooltip also indicates what action clicking the button performs, either to add or remove an exception for the current host, or you can choose the exact exception type from the menu.

Stop! You probably don't need the third button. If you think you really do, see the advanced configuration section. There are also masses of options on the button context menus and the tools menu, but you will rarely need those either. Simply let Cookie Controller be red and block cookies for you. If you trust a website and want it to remember your login or other settings, click the Perm button to give that site an exception. If you just want to allow cookies temporarily, perhaps when a stubborn website won't work without them, you can click the Toggle button to green and it will allow cookies until you close Firefox.

Advanced ConfigurationThe Toggle buttonThe Toggle button has a menu that allows you instant access to a number of cookie-related dialogs, as well as giving detailed control over the way the Toggle button works. These settings allow any cookie permissions setting supported by Firefox, including hidden options. The button context menu only shows you the options relevant to the current button state, but you can see all the options at once on the tools menu. To experiment with the settings you may find it easier to pin the config menu open using the pin icon, or to hold it open with the ctrl key while you change the settings.

The default toggle settings provide strong privacy by denying all cookies in the off state, while the on state allows access to sites that don't work properly without cookies but still maintaining your privacy by discarding them when Firefox is restarted. The same overall settings apply to DOM storage, which Firefox will not otherwise allow you to see or control.

The 3rd party cookies setting indicates whether cookies can be set which do not share the same domain as the current location showing in the Firefox location bar. These are frequently tracking cookies, but can also be used for legitimate purposes such as syndicated logins. If you allow cookies to be set, especially if you allow cookies that are persistent, then you would probably want to disable this. The visited only setting will not appear in older versions of Firefox. It allows third party cookies to be set only if the host has been visited, actually if are already cookies set for that host so visiting might not be sufficient. Permissions for the host to set 1st party cookies are unaffected. These settings do not apply to DOM storage which does not currently understand the concept of 3rd party.

The on state and the off state each have three more settings to protect your privacy, although not the same three. Expiration days limit is a setting which is hidden in recent Firefox releases and limits the lifetime of any cookie to a set number of days, indicated by the Toggle tooltip and changed in the about:config dialog. This only applies in the on state and clearly only applies if cookies are allowed to be stored.

Both the on and off states have settings for session only and ask about cookies. Either or both of these can be set. Session only on its own will limit all cookies to the length of the current Firefox session. Note that closing Firefox does not necessarily delete these entirely, and some cookies may be recovered after a restart if the previous session is restored. Cookies that do not relate to pages in the session store are irretrievably deleted when Firefox is restarted. The ask about cookies setting causes a dialog to display when a web page wants to set a new cookie or change an existing one. Turning on both of these settings produces a condition where session cookies are stored without asking and persistent cookies produce the ask dialog. This privacy state is not available from the Firefox options dialog.

Finally, in the off state there is a setting to deny all cookies which is self-explanatory. This overrides any other setings that may be checked. Some of the Toggle settings may be greyed out, indicating that they cannot currently be changed because it would create an illegal state. Typically this is a state where the off button is less restrictive than the on button. In some cases, choosing one setting for example the expiration days limit, will deselect others because the combination is invalid. In case of difficulty, try pinning open the tools menu so you can see which settings are conflicting.

The Perm buttonThe second button indicates the exact cookie permissions for the current page host. The icon gives an indication of the state by showing a green tick for allowing persistent cookies, a blue tick for allowing cookies for the duration of this session, a question mark if an ask dialog will be produced for each cookie, a hash/pound symbol if cookies are allowed but will expire after a particular number of days, or a red X if cookies are completely denied. In all cases, the tooltip will indicate in detail the privacy settings for the current page, including the state of third party cookies and DOM storage. Privacy settings for a page may be from the default global settings, or by virtue of an exception that applies to the page.

The tooltip also indicates what action will be performed by left clicking the button. This can also be seen on the right click context menu. There are five radio menu items (four in older versions), one of which shows the current privacy setting which can either be the same as the global settings or an exception for this web site. The bold entry indicates which setting will be applied by clicking the button, or you can select a different setting to add, change, or remove an exception for this host. Allow and deny exceptions are self-explanatory. An allow for session setting allows cookies to be stored, but they will be deleted no later (possibly earlier) than the end of the current session. The recommended exception type, give that you should be browsing with cookies denied globally, if to allow 1st party only. This means that pages belonging to the current host can set (and retrieve) cookies, but that it can't if it would be a third party on a different page. Occasionally this may be too restrictive, for example if you want to access some Facebook functions embedded in other pages and requiring cookies.

The domain name for which exceptions are set can be controlled by two settings on the context menu. It is possible to remove either just any initial "www." or to remove all subdomains, for example stripping scholar.google.com and storing exceptions for google.com. Note that this can cause exceptions set on one page to apply to another with a different subdomain, for example images.google.com. It is possible for there to be conflicting exceptions set at several different levels of a domain hierarchy. You can examine these in detail using the exceptions dialog, but removing and resetting them using the Perm button should remove conflicts and leave you with just an exception according to your current Cookie Controller settings.

The Perm button context menu can also show you all the cookies for this domain, and all the DOM storage items for this origin (scheme plus host plus port). A tooltip will show you the item contents and you can remove it by clicking, or remove all by clicking the relevant menuitems. These options can optionally be hidden from the Perm button and Toggle button context menus.

The Tidy buttonThe third and final Cookie Controller button is the Tidy button, showing a crosshair on an unfortunate cookie. It allows you to delete some or all cookies (or DOM storage) by clicking the button, as well as showing cookie and DOM storage items counts and each individual item. If you need this button, you are probably doing it wrong! If you feel the need to manually delete cookies then your privacy settings, as controlled by the Toggle and Perm buttons, are perhaps wrong. Why allow such cookies on your computer in the first place, or why allow them to last beyond the end of the session or a limited number of days.

So if you really want to see how many cookies each web site has then you can drag the Tidy button onto a toolbar. The tooltip will describe the number of session cookies, persistent cookies, session storage, and local storage items relevant to the current page, as well as totals for Firefox. DOM storage grand totals are not available because Mozilla doesn't feel you have the right to this information. Even cookie counts are not available in private browsing windows because again Mozilla doesn't feel you need to know. You'll just have to trust them when they say they are removed at the end of the session. Reporting and viewing DOM storage is not always accurate. There are a number of outstanding bugs related to session and local storage, although Firefox versions from around 21 are correct most of the time.

Be careful because clicking the Tidy button will remove something and usually it won't ask you first. The tooltip tells you what will be removed, or you can remove a different set of cookies using the right click context menu. Trying to remove every cookie, and all DOM storage, will produce a confirmation dialog, but you can set this not to show if you feel really brave.

The Tools menuTo see all available Cookie Controller settings, open the tools menu and click on Cookie Controller. The tools menu is no longer visible by default and Cookie Controller is not on the Firefox app button to reduce clutter. You can still show the menu toolbar if you wish to use a function that is not available from the Firefox button, such as the Cookie Controller tools menu. The tools menu is also more accessible using only the keyboard. Or you can configure the Cookie Controller tools menu to a location of your choice using a menu editor addon.

Temporary ExceptionsNormally when you set an exception using the Perm button, it lasts forever until you change it or remove it. It is also possible to set an exception just until the end of the current session, so once you restart Firefox that web page will be back to the permissions it had previously. This is done using modified clicks on the Perm button or menu. You can use a middle-click or hold down the CTRL key, then that permission will be temporary. This may be a more convenient way of temporarily allowing permissions to websites that appear not to be working without cookies, but you should probably only use it to allow session cookies so that the cookies themselves are as temporary as the exception that allows them.

For more details on what is happening behind the scenes, read the developer comments at the bottom of this page.

Developer’s Comments

OverviewThe Cookie Controller only provides easy access to functionality already provided by Firefox. The toggle button instantly alters the global cookie permissions that can also be adjusted using the Firefox options dialog. If these settings are changed from the options dialog, manually in about:config, or programmatically using javascript then Cookie Controller will attempt to display the corresponding state on the button icon, with respect to your configured on and off states. These external changes will not alter the Cookie Controller settings for the on and off states, nor will it alter the Firefox settings in any way until you press the button to toggle states. The permissions button sets or removes exceptions for particular sites, which can also be done through the Firefox options dialog or in other ways. . However, it is recommended that you only alter those settings using the Cookie Controller button to avoid confusion.

Toggle ButtonMost of the toggle button configuration menuitems are obvious enough, but some of the more exotic combinations go beyond the publicly visible Firefox preferences. The tooltip is your friend and should explain the settings more fully than most other documentation you'll find. If you alter the Cookie Controller preferences manually then you could put the toggle button into an illegal state. Cookie Controller will attempt to correct faults such as this, generally by setting the Off state to Deny All. If you get in a complete pickle then resetting all the extensions.cookieController preferences to defaults should fix things.

Permissions ButtonThe site permissions button maps the global cookie permissions settings and cookie exceptions to one of four conditions: default, meaning there are no exceptions; allow, meaning there is an Allow exception for the current host domain or one of its parents; session, meaning there is an Allow Session exceptions for the current host domain or one of its parents; and deny, meaning there is a Block exception for the current host domain or one of its parents. In the default condition, the global cookie settings are shown for the site, mapped as allow, session, ask, deny, or limit expiry to a certain number of days. The icons should be fairly self-explanatory, with a red cross for deny, a green tick for allow, a blue tick for session, a question mark for ask, and a hash mark for an expiration days limit.

The context menu has menuitems for the four conditions, indicating the one that applies to the current page and the one which would come into effect if the button was clicked. Any of the four permissions condition menuitems can be selected to create or remove exceptions.

The domain used for creating exceptions can be configured as the subdomain of the site, or any "www." may be stripped, or the entire subdomain may be stripped. This applies to new exceptions which are stored. Cookie Controller understands permissions provided by exceptions other than the configured type, for example an exception for "mozilla.org" providing cookie permissions for "addons.mozilla.org". When Cookie Controller is asked to remove an exceptions it will remove exceptions for all domains that can affect cookie permissions for the current host, except for top-level domains. Top-level domains cannot be adjusted using Cookie Controller and are not recommended to be used at all, although Cookie Controller understands them and will show the correct permissions if a top-level domain exception has been created manually.

If you decide to set an exception that is different from an existing exception, then an existing exception with the exact same domain string will be replaced with the new one. Exceptions for other domain strings that could affect the current page will not be touched. This could lead to confusion where an exception is set, for example on mozilla.org, but permissions for the page do not change because an existing exception already exists for addons.mozilla.org which overrides the one for mozilla.org. It is recommended that you choose a type of domain adjustment and stick with it. The default is to strip all subdomains from exceptions. If you get stuck in this situation, rather than manually going through the Firefox exceptions dialog, clicking the permissions button two or three times should remove all the relevant exceptions and set a single one that matches your current configuration.

Tidy ButtonThe tidy button functions are very straightforward in use, very complicated behind the scenes. This is to allow counting of every single cookie without slowing down the browser. A single instance of of the total numbers of session and persistent cookies are maintained to support mapping the tidy button state, tooltip, and context menu. The button changes in real time in response to cookie changes, as do the tooltip and context menu if they are visible. Only changes that potentially affect a particular button, tooltip, or menu visible in a window are acted on by that window.

Cookie CountingAt application startup every cookie is counted and classified. Because this can take a noticeable amount of time if there are more than a few hundred cookies, it is deferred and you might just be able to spot the buttons being initialised shortly after a new page is loaded. Cookie adds and deletes are straightforward to count, while complex but uncommon cookie changes simply reset every page. Cookie changes are by far the most common and do not change the total cookie count, but may result in a downgrade or upgrade to or from a session cookie to a persistent cookie. This uncommon type of change is detected using a deferred query of the cookie database. This query is executed only in response to a cookie changed event and at most once per second so that multiple rapid cookie changed events do not hurt performance.

Detecting cookies from private browsing windows is seriously broken and Cookie Controller does not even attempt to do this. If you use existing Firefox dialogs to try and see the cookies that have been stored by a private browsing window, you will actually be shown cookies stored by non-private browsing windows. Attempting to manually delete private browsing cookies is taking your life in your hands, and you may delete non-private cookies instead. I suggest you don't do at all, and simply restart Firefox when you feel the urge to purge.

DOM StorageCookie Controller attempts to display the permissions being used for session storage and local storage, and also the storage items themselves. Support for this is incomplete in versions prior to FF21. The most likely thing you'll come across in current Firefox releases is local storage items being reported incorrectly when privacy settings are to allow session only. Strangely, DOM storage in private browsing windows is reported better than cookies, better even than in normal windows. One major omission is any ability to count all DOM storage items currently held by Firefox, so no grand totals. There could be thousands of them and you'll never know.

Per-window Private BrowsingStarting in Firefox 20 there is no private browsing mode, only individual private browsing windows. This has been implemented in a half-assed way. Cookies in private browsing windows cannot be counted, viewed, or deleted. By anyone! Firefox's own options dialog will not show them to you, nor will clearing your history delete them (this might work in recent Firefox versions, depending on how you do it, but how will you know if it worked or not?). So Cookie Controller will not be able to show you cookies, or even cookie counts, from private browsing windows. Please ping Mozilla about this, not me.

File urlsCookies and DOM storage are technologies for storing small amounts of data for and from web pages and they are designed to work with pages that have http (and https) addresses which include a hostname and path (the path may be blank). Firefox has shoe-horned in some workarounds to let cookies and DOM storage work from pages that have file urls, that is addresses of the format file://path/filename.extension, and now Cookie Controller also works with them. These urls have no host to associate with cookies or permission exceptions. Therefore file url cookies all have a blank host, while DOM storage uses the entire url as its origin. Permissions have been set using the magic string <file> as a pseudo-host such that all file urls get the same permission. In recent versions of Firefox work has been done to support different cookie exceptions for different file paths by using the whole path as a pseudo-host. When this is fully implemented, Cookie Controller will also allow these types of exceptions.

Version Information

Version 3.8
Released February 9, 2015
59.6 kB
Works with
Firefox 17.0 and later

Disable counting DOM storage items in e10s mode until this can be made to work safely.

Development Channel

The Development Channel lets you test an experimental new version of this add-on before it's released to the general public. Once you install the development version, you will continue to get updates from this channel. To stop receiving development updates, reinstall the default version from the link above. Install development version

Caution: Development versions of this add-on have not been reviewed by Mozilla.